Splunk® Supported Add-ons

Splunk Add-on for Microsoft Security

Troubleshoot the Splunk Add-on for Microsoft Security

For helpful troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons. You can also access these support and resource links.

Useful Searches

Search the _internal index for logs specific to the add-on. The same search queries are used in dashboard panels to display errors to users. Error information can also be viewed in the dashboards provided by the add-on; see the MS Security TA Errors dashboard.

403 Forbidden Error

The error message "Missing Application Roles. API required roles: …" means that your Azure Active Directory account does not have the permissions necessary to fetch the data. The add-on logs it as follows:

ERROR pid=<pid> tid=<thread> file=ms_security_utils.py:get_atp_alerts_odata:274 | {'error': {'code': 'Forbidden', 'message': 'Missing application roles. API required roles: SecurityIncident.Read.All,SecurityIncident.ReadWrite.All, application roles: SecurityEvents.Read.All,User.Read.All.', 'innerError': '...'}}
Traceback (most recent call last):
 File "/opt/splunk/etc/apps/Splunk_TA_MS_Security/bin/ms_security_utils.py", line 254, in get_atp_alerts_odata
   r.raise_for_status()
 File "/opt/splunk/etc/apps/Splunk_TA_MS_Security/lib/requests/models.py", line 1021, in raise_for_status
   raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url:<your_url>

Refer to the Configure Permissions document and add the missing permissions named in the error message to resolve the error.
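As an added example (not the add-on's own code), the following Python parses a 403 log line in the format shown above and lists which of the required roles the application registration has not been granted. The log line is a constructed copy of the one above; the assumption that Microsoft Graph accepts any one of the listed required roles is mine, not stated on this page.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample: the Forbidden error body as the add-on logs it
# (python dict repr after the "|" separator), copied from the error above.
SAMPLE_LOG_LINE = (
    "ERROR pid=1234 tid=MainThread file=ms_security_utils.py:get_atp_alerts_odata:274 | "
    "{'error': {'code': 'Forbidden', 'message': 'Missing application roles. "
    "API required roles: SecurityIncident.Read.All,SecurityIncident.ReadWrite.All, "
    "application roles: SecurityEvents.Read.All,User.Read.All.', 'innerError': '...'}}"
)

# "API required roles: A,B, application roles: C,D." -> two comma-separated lists.
ROLE_RE = re.compile(
    r"API required roles:\s*(?P<required>.*?),\s*"
    r"application roles:\s*(?P<granted>[A-Za-z0-9_.,]*?)\.?(?:[\"']|$)"
)


def _split_roles(field: str) -> List[str]:
    # Roles are comma separated; strip whitespace and the sentence-ending dot.
    return [r.strip().rstrip(".") for r in field.split(",") if r.strip()]


def parse_role_error(log_line: str) -> Dict[str, List[str]]:
    """Return {'required': [...], 'granted': [...]} from a 403 log line.

    Both lists are empty when the line is not a 'Missing application roles' error.
    """
    m = ROLE_RE.search(log_line)
    if not m:
        return {"required": [], "granted": []}
    return {"required": _split_roles(m["required"]), "granted": _split_roles(m["granted"])}


def missing_roles(log_line: str) -> List[str]:
    """Required roles the app registration does not hold, in logged order.

    Assumption: Graph lists alternatives, so if any required role is already
    granted the 403 has another cause (e.g. admin consent not yet granted)
    and nothing is reported as missing.
    """
    parsed = parse_role_error(log_line)
    granted = set(parsed["granted"])
    if any(r in granted for r in parsed["required"]):
        return []
    return [r for r in parsed["required"] if r not in granted]


def triage(log_lines: Iterable[str]) -> List[str]:
    """Deduplicated, sorted list of missing roles across many _internal log lines."""
    return sorted({role for line in log_lines for role in missing_roles(line)})
```

Feed the output of your _internal search for the add-on's ERROR lines into triage() to get the permission list to add in the Configure Permissions step.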

To collect data through the Microsoft Graph API, set the environment/location parameter to a value ending with "- Graph API" when configuring an input in the add-on. You also need to grant the corresponding Graph API permissions.

SSL certificate issue

If you encounter an SSL: CERTIFICATE_VERIFY_FAILED error, the issuing certificate is probably missing from the certificate store the add-on uses. Resolve the issue by adding the certificate to the add-on's trust list.

The Splunk Add-on for Microsoft Security uses the Python requests library to make REST calls to Microsoft. Requests raises this SSL error when it cannot verify the server certificate against its trust store. For more information, see https://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification

  • Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_MS_Security/lib/certifi
  • Edit the cacert.pem file
  • Append the PEM-encoded contents of your root certificate to this file
  • Restart Splunk

New extractions don't work

If new extractions don't work, try disabling the inputs of the Microsoft 365 Defender Add-on for Splunk, then disable the Microsoft 365 Defender Add-on for Splunk itself, and check whether the extractions are applied.

To disable the inputs and the add-on:

  1. Navigate to Add-on > Inputs.
  2. Disable the input by selecting "Disable" in the dropdown list.
  3. Navigate to Apps > Manage Apps.
  4. Disable the Microsoft 365 Defender Add-on for Splunk by clicking "Disable".

Data duplication in the ms365:defender:incident:alerts sourcetype

Data duplication is expected behavior in the ms365:defender:incident:alerts sourcetype. See the Sourcetypes topic in this manual for more information.

Issue in data collection

If a data collection issue persists, verify that the appropriate permissions are set for the configured account in the Azure Active Directory portal. See the Hardware and software requirements topic in this manual for more information.

Last modified on 24 April, 2024
This documentation applies to the following versions of Splunk® Supported Add-ons: released